shim fails to load MokManager (mmx64.efi) in the case of unsigned grub
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
shim (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
[see debian bug #860716 as well]
I test shim-signed with qemu in a secure boot environment. Here are the steps
to reproduce the problem:
1) install shim, shim-signed, qemu and ovmf packages
2) get EnrollDefaultKe
https:/
3) create an efi_test directory with shim binaries, grub and EnrollDefaultKe
mkdir efi_test
cp /usr/lib/
rename 's/[.]signed$//' efi_test/*
cp /boot/efi/
cp EnrollDefaultKe
4) so we have in efi_test/
LANG=C ls -la efi_test/
drwxr-xr-x 2 kl kl 4096 Apr 19 12:10 .
drwxr-xr-x 5 kl kl 4096 Apr 19 11:52 ..
-rw-r--r-- 1 kl kl 20032 Apr 19 11:55 EnrollDefaultKe
-rw-r--r-- 1 kl kl 72144 Apr 19 11:52 fbx64.efi
-rwxr-xr-x 1 kl kl 121856 Apr 19 12:10 grubx64.efi
-rw-r--r-- 1 kl kl 1168464 Apr 19 12:05 mmx64.efi
-rw-r--r-- 1 kl kl 1169528 Apr 19 11:52 shimx64.efi
5) run qemu with ovmf firmware
qemu-
6) import microsoft keys and enable secure boot (from EFI shell)
Shell> fs0:
FS0:\> EnrollDefaultKe
info: SetupMode=1 SecureBoot=0 SecureBootEnabled=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnabled=1 CustomMode=0 VendorKeys=0
info: success
7) reboot virtual machine (from EFI shell)
FS0:\> reset
8) run shim (from EFI shell)
Shell> fs0:
FS0:\> shimx64.efi
9) expected result:
MokManager (mmx64.efi) will be started
10) actual result:
Verification failed: (15) Access Denied
Failed to load image: Access Denied
start_image() returned Access Denied
start_image() returned Access Denied
and we are back to the EFI shell.
Thus it's not possible to install user keys or add a user
loader to the trusted binary database.
-------
The following upstream patch will resolve the problem:
https:/
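A quick way to tell which of the files in efi_test actually carry an Authenticode signature before booting them under shim, as an added example that is not part of the bug report: it parses the PE certificate data directory that shim's verifier reads. The sample images are constructed inline; the result only shows whether a WIN_CERTIFICATE table exists, not whether the signing key is trusted by db or MOK.

```python
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY slot in the PE data directories

def authenticode_cert_entry(image: bytes):
    """Return (file_offset, size) of the Authenticode certificate table of a
    PE/COFF image, or None when the image carries no embedded signature."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                                       # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x20B:      # PE32+, the format of x86_64 EFI binaries such as shimx64.efi
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:    # PE32, 32-bit images
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]       # NumberOfRvaAndSizes
    if ndirs <= CERT_TABLE_INDEX:
        return None
    off, size = struct.unpack_from("<II", image, dirs_off + 8 * CERT_TABLE_INDEX)
    if size == 0:
        return None
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    if off + size > len(image):
        raise ValueError("certificate table points outside the image")
    return off, size

def is_signed(image: bytes) -> bool:
    """True when a WIN_CERTIFICATE table is present; says nothing about whether the signing key is trusted."""
    return authenticode_cert_entry(image) is not None

def build_sample_image(with_signature: bool) -> bytes:
    """Constructed minimal PE32+ image standing in for an .efi file; not a real binary."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew points at the PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # x86_64, 240-byte optional header
    opt = bytearray(240)                                        # 112 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    cert = b""
    if with_signature:
        # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 2 (PKCS#7), then dummy payload
        cert = struct.pack("<IHH", 8 + 16, 0x0200, 0x0002) + b"\0" * 16
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, len(dos) + 4 + 20 + len(opt), len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert
```

To check real files, pass `open(path, "rb").read()` to `is_signed`; `sbverify` from sbsigntool performs the full signature check against a given certificate.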
Changed in shim (Ubuntu):
importance: Undecided → Low
This is a low-priority bug for Ubuntu, because it has a grub2-signed package. But in Debian's case it becomes problematic, as Debian has no grub2-signed package. Thus users must use a self-compiled monolithic grub2 package. Evidently this package is not signed with the Debian key, and hence it can't be loaded.